• DNS resolution is not working

    DHCP and DNS
    4
    0 Votes
    4 Posts
    172 Views
    U

    I'm glad that worked for you.

    Are you aware that you don't need to add any DNS servers to PFS? It will do what is called resolving and ask the root servers for you. Bypassing the commercial servers, you go directly to the source.

    My DNS settings: Screenshot from 2025-01-21 08-21-15.png


  • 0 Votes
    3 Posts
    212 Views
    JonathanLeeJ


    I am aware of the resolver interval; is there a way to bypass one URL?

    Example: imap.gmail.com always forward to 8.8.8.8, do not save in firewall DNS nameserver for reuse,

    thus every time it gets the new IP address Google has for the mail server. They change so fast the firewall can't keep up, so the mail app at times says error; after 5 mins it will resolve, but that is unacceptable for modern use.

  • 0 Votes
    3 Posts
    248 Views
    GertjanG

    @laov said in Override website address (DNS lookup):

    Thus I would like to automatically redirect all website.com lookups to website.net.

    Both have the same IPv4 and/or IPv6?

  • chrome://net-internals/dns#dns ???

    IPv6
    3
    0 Votes
    3 Posts
    2k Views
    JonathanLeeJ

    @johnpoz
    I mostly do, except some university classes require we use it.

  • 0 Votes
    5 Posts
    1k Views
    L

    So, after some further digging, I discovered a couple things.

    - You have to actually assign the tunnel to an interface
    - The MacOS Wireguard app doesn't support .ddns.net domains

    Thank you for your help, once I assigned the interface correctly everything worked like a charm.

  • 0 Votes
    3 Posts
    1k Views
    L

    @bob-dig Yes, I can ping the domain name and receive a response from the firewall.

  • 0 Votes
    1 Posts
    1k Views
    No one has replied
  • 0 Votes
    3 Posts
    993 Views
    Kalle13K

    @gertjan said in How to remove old IP entry of host:

    Look here Services > DNS Resolver > General Settings at the bottom of the page.
    Check also Services > DHCP Server > (any LAN) at the bottom of the page : "DHCP Static Mappings for this Interface"

    Thanks for the hint with the DHCP server. I totally forgot about it. I looked in both and found that there is a static DHCP lease in the DHCP server list. But it is shown nowhere else in the DHCP server and so I couldn't delete it. Then I remembered that this old IP is an IP of the range of an old, now disabled interface. Luckily I only disabled the interface and did not delete it. So I enabled it, which created a tab in the DHCP Server menu with this interface and the static mapping of the old IP. I removed it, disabled the interface again and now I am happy!

    Solved!

  • 0 Votes
    7 Posts
    2k Views
    O

    @bmeeks Thank you for the link! I am indeed using both traffic shaping and limiters; and there is necessity in it, so I don’t want to switch them off. I had had some floating rules for DNS (high priority) and I have improved them according to the post you provided - but with no results, unfortunately.
    Actually I don’t care about the lines ‘No buffer space available’ in resolver.log as long as they don't cause my major issue. And it is hard to establish the link between them because it requires probably too much time to wait for the next DNS resolving dysfunction with traffic shaping and limiters off (it happens sometimes a few times a day, sometimes once in a fortnight).
    I have also changed my hardware and I’m waiting for the results… I’ll describe the details a bit later.

  • Possible bug report

    IPsec
    2
    1 Votes
    2 Posts
    687 Views
    B

    @bp81 I believe we have found the resolution, and I wanted to post it here for anyone else encountering the issue.

    In our DNS forwarder, we had a domain override set for our company's domain. This is the same domain in the hostname for the remote gateway listed above. The domain override was pointing at a DNS server that is not accessible without the tunnel up. Clearly this was causing the IPSec service to fail repeatedly to establish its tunnel.

    So there was a misconfiguration on our part which we have fixed. I still maintain that it's a bug if the ipsec service causes the web gui to crash / become unresponsive even when it's a self induced failure state due to misconfiguration. I understand it's possible this may be a limitation of the ipsec service, but it is worth looking at even if it is an edge case.

  • 0 Votes
    5 Posts
    943 Views
    jahonixJ

    @giminik You can assign subdomains at the interface's DHCP server tab.

    Domain name: "The default is to use the domain name of this system as the default domain name provided by DHCP. An alternate domain name may be specified here."

    So you can end up with
    -firewall.home or firewall.lan.home
    -firewall.lan2.home
    -firewall.dmz1.home
    -firewall.dmz2.home

  • 0 Votes
    15 Posts
    2k Views
    SmokeScreenS

    Happy New Year's Eve to everyone, and have a good time.

    After researching more about firewall rules, the captive portal, the DNS resolver and demilitarized zones (DMZ), I was able to solve the problem of redirecting the portal to my web server; I had to delete some earlier rules that are not important in my case.

    After configuring the DMZ interface and giving it access to the LAN network with firewall rules, I gave the web server's IP a domain with the DNS resolver and put that domain in the captive portal under "after authentication redirect". As a result, every user who connects to my router can be redirected to the captive portal and authenticate there just by clicking the default pfSense button (with a bit of CSS, HTML and, of course, JavaScript I am going to change its style to match my project), and from there finally be redirected to my web page.

    Well, not entirely. My tests were limited to mobile devices, where I have not gotten the result I think I should get: at least on Android, when connecting, it intuitively (not through the browser but through a program I don't know) takes me to the portal to authenticate, I click the button and it automatically redirects me to my web page, but after 1 or 2 seconds the program that opens the captive portal closes. Of course it then lets me browse and go to my web page again, but, you know, I have to open the browser and type the URL; the idea is for it to stay on the page it redirected me to, that is, my web page.

    I imagine that on other operating systems designed for computers this should not happen, since the user would have to open the browser, search for something and, by the nature of pfSense, be redirected to the captive portal; and since they are already in the browser, it has no reason to close as happened to me on the phone.

    All that is left is to fix that and, well, maybe I will venture to look for a way to keep users from looking for anything outside my web server; with a firewall rule I already take away their internet access, but I would like them to be redirected to it if that happens.

    Good night.

  • DNS won't start

    DHCP and DNS
    2
    0 Votes
    2 Posts
    461 Views
    H

    OK, problem solved! I noticed that the disk was at 100%. It seems the Suricata logs had filled the drive, so I enabled the hard limit for their log size, disk usage dropped to 56% and DNS now starts :o)

    Maybe a more obvious warning if the disk fills up or more useful logging for the DNS service would be a useful addition in the future?

  • Issues with DNS forward

    DHCP and DNS
    2
    0 Votes
    2 Posts
    609 Views
    K

    After looking closely at my rules, I found that my source was set for an address as opposed to the network. One quick change and all was good in the Universe!

  • Setting up DNS *correctly*

    DHCP and DNS
    20
    0 Votes
    20 Posts
    5k Views
    bwalkcoB

    @KOM said in Setting up DNS *correctly*:

    enable resolver, disable forwarder, check DNS Query Forwarding and put 1.1.1.1 under System - General Setup - DNS Servers.

    This is the exact configuration I went with. Thank you very much for the help!

  • DNS Local Base Domain

    DHCP and DNS
    5
    0 Votes
    5 Posts
    1k Views
    F

    @bahsig

    This was the first thing I tried to do and was stumped cause it wouldn't let me.

    Now it just let me.

    Mind blown.

    Thanks!

  • Problemi with dns resolution

    OpenVPN
    26
    0 Votes
    26 Posts
    2k Views
    W

    @marvosa I had already opened the case yesterday, follow the link

    https://forum.netgate.com/topic/142192/slow-navigation-after-connecting-openvpn-problem-with-host-to-site-dns-resolution/3

    Thank you.